From 84ab0478f9dd7f7f8dc92aa1edaf6b71fe28035b Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Tue, 20 Mar 2012 18:38:13 -0500
Subject: dns: more hardening

- don't trust rr.rdlength
- don't accept replies we know are impossible for AAAA/A records
- don't try to process record types we do not know about specifically
  (this behaviour just leads to disaster)
---
 src/dns.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/dns.cpp b/src/dns.cpp
index 2bfa0be20..21b0d9e39 100644
--- a/src/dns.cpp
+++ b/src/dns.cpp
@@ -845,16 +845,21 @@ DNSInfo DNSRequest::ResultIsReady(DNSHeader &header, int length)
 			res[o] = 0;
 		break;
 		case DNS_QUERY_AAAA:
+			if (rr.rdlength != sizeof(struct in6_addr))
+				return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 16 bytes for an ipv6 entry -- malformed/hostile packet?");
+
 			memcpy(res,&header.payload[i],rr.rdlength);
 			res[rr.rdlength] = 0;
 		break;
 		case DNS_QUERY_A:
+			if (rr.rdlength != sizeof(struct in_addr))
+				return std::make_pair((unsigned char *) NULL, "rr.rdlength is larger than 4 bytes for an ipv4 entry -- malformed/hostile packet?");
+
 			memcpy(res,&header.payload[i],rr.rdlength);
 			res[rr.rdlength] = 0;
 		break;
 		default:
-			memcpy(res,&header.payload[i],rr.rdlength);
-			res[rr.rdlength] = 0;
+			return std::make_pair((unsigned char *) NULL, "don't know how to handle undefined type (" + ConvToStr(rr.type) + ") -- rejecting");
 		break;
 	}
 	return std::make_pair(res,"No error");
-- 
cgit v1.2.3